Device Class 5 Controls
Device Class 5 Security Requirements:
- Confidentiality: HIGH
- Integrity: HIGH
- Availability: HIGH
Class 5 devices must meet controls from NIST 800-53 and ISO/IEC 15408 in the following areas:
- Access Control
  - AC-2 Account Management (Class 3)
  - AC-3 Access Enforcement (Class 1)
  - AC-4 Information Flow Enforcement (Class 1)
  - AC-6 Least Privilege (Class 3)
  - AC-7 Unsuccessful Authentication Attempts (Class 1)
  - AC-8 System Use Notification (Class 1)
  - AC-11 Session Lock (Class 1)
  - AC-12 Session Termination (Class 1)
  - AC-17 Remote Access (Class 1)
  - AC-18 Wireless Access (Class 3)
  - AC-21 Information Sharing (Class 2)
- Audit and Accountability
  - AU-2 Audit Events (Class 1)
  - AU-3 Content Of Audit Records (Class 3)
  - AU-4 Audit Storage Capacity (Class 1)
  - AU-5 Response To Audit Processing Failures (Class 3)
  - AU-7 Audit Reduction And Report Generation (Class 1)
  - AU-8 Time Stamps (Class 1)
  - AU-9 Protection Of Audit Information (Class 3)
  - AU-10 Non-repudiation (Class 3)
  - AU-12 Audit Generation (Class 3)
- Configuration Management
  - CM-7 Least Functionality (Class 1)
  - CM-11 User-installed Software (Class 1)
- Contingency Planning
  - CP-12 Safe Mode (Class 1)
- Identification and Authentication
  - IA-2 Identification And Authentication (Organizational Users) (Class 3)
  - IA-5 Authenticator Management (Class 1)
  - IA-6 Authenticator Feedback (Class 1)
  - IA-7 Cryptographic Module Authentication (Class 1)
  - IA-11 Re-authentication (Class 1)
- Incident Response
  - IR-5 Incident Monitoring (Class 1)
  - IR-6 Incident Reporting (Class 1)
- Media Protection
  - MP-3 Media Marking (Class 2)
  - MP-4 Media Storage (Class 2)
  - MP-5 Media Transport (Class 2)
  - MP-6 Media Sanitization (Class 3)
- Physical and Environmental Protection
  - PE-4 Access Control For Transmission Medium (Class 2)
  - PE-5 Access Control For Output Devices (Class 2)
- Privacy
  - ISO FPR_PSE.1 Pseudonymity (Class 1)
  - ISO FPR_PSE.2 Reversible Pseudonymity (Class 1)
  - ISO FPR_UNL.1 Unlinkability (Class 1)
- Risk Assessment
  - RA-5 Vulnerability Scanning (Class 1)
- System and Communications Protection
  - SC-2 Application Partitioning (Class 1)
  - SC-3 Security Function Isolation (Class 3)
  - SC-4 Information In Shared Resources (Class 2)
  - SC-5 Denial Of Service Protection (Class 1)
  - SC-7 Boundary Protection (Class 3)
  - SC-8 Transmission Confidentiality And Integrity (Class 2)
  - SC-10 Network Disconnect (Class 1)
  - SC-12 Cryptographic Key Establishment And Management (Class 2)
  - SC-13 Cryptographic Protection (Class 1)
  - SC-18 Mobile Code (Class 1)
  - SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver) (Class 1)
  - SC-22 Architecture And Provisioning For Name / Address Resolution Service (Class 1)
  - SC-23 Session Authenticity (Class 1)
  - SC-24 Fail In Known State (Class 3)
  - SC-28 Protection Of Information At Rest (Class 2)
  - SC-39 Process Isolation (Class 1)
  - SC-42 Sensor Capability And Data (Class 2)
- System and Information Integrity
  - SI-3 Malicious Code Protection (Class 1)
  - SI-4 Information System Monitoring (Class 1)
  - SI-7 Software, Firmware, And Information Integrity (Class 3)
  - SI-10 Information Input Validation (Class 1)
  - SI-11 Error Handling (Class 1)
  - SI-16 Memory Protection (Class 1)
  - SI-17 Fail-safe Procedures (Class 3)
- System and Services Acquisition
  - SA-10 Developer Configuration Management (Class 1)
  - SA-11 Developer Security Testing And Evaluation (Class 1)
  - SA-12 Supply Chain Protection (Class 3)
  - SA-18 Tamper Resistance And Detection (Class 3)
Compared to Class 4 devices, Class 5 devices will have additional requirements in the areas of:
- N/A